Cryptanalysis of Prime Power RSA with two private exponents

Abstract: In this paper, we consider a variant of RSA schemes called Prime Power RSA with modulus N = p r q for r 2, where p, q are of the same bit-size. May showed that when private exponent, N can be factored in polynomial time in PKC 2004. Later in 2014, Sarkar improved the bound for r 5. We propose a new cryptanalytic method to attack this RSA variant when given two pairs of public and private exponents, namely (e 1 , d 1 ) and (e 2 , d 2 ) with the same modulus N . Suppose that we know d 1 < N δ 1 and d 2 < N δ 2 .… Show more

“…. Also, we assume σ 1 = σ 2 = σ 3 = σ in order to compare our results with the theoretical results of [1], [2], [3], [4] and [5], our work show that for 5 ≤ r ≤ 10 we obtain better bounds. The rest of the paper is organised as follows.…”

“…In order to make comparison with other bounds, we assume σ 1 = σ 2 = σ 3 = σ as shown in Table 3 From Table 3.2, one can observe that, our bound is better than [2], [4] and [5] for r ≥ 2 and also better than all the compared bounds for 5 ≤ r ≤ 10.…”

“…Lu et al [3] proved that prime power modulus N = p r q when r ≥ 2 can be factored efficiently when the decryption exponent bound d < N r(r−1) (r+1) 2 . Moreover, Zheng and Hu [2] proposed a cryptanalysis lattice-based construction attack on prime power RSA modulus N = p r q for r ≥ 2 with two decryption exponents where they have shown that N is insecure when δ 1 δ 2 < N ( r−1 r+1 ) 3 where d 1 < N δ 1 and d 2 < N δ 2 . By assuming δ 1 = δ 2 = δ , [2] made comparisons with previous results of [1,4] when r ≥ 4.…”

“…Moreover, Zheng and Hu [2] proposed a cryptanalysis lattice-based construction attack on prime power RSA modulus N = p r q for r ≥ 2 with two decryption exponents where they have shown that N is insecure when δ 1 δ 2 < N ( r−1 r+1 ) 3 where d 1 < N δ 1 and d 2 < N δ 2 . By assuming δ 1 = δ 2 = δ , [2] made comparisons with previous results of [1,4] when r ≥ 4. In this paper, we employ a similar approach to [2] using lattice-based approach except that we utilize three pairs of public and private exponents (e 1 , d 1 ), (e 2 , d 2 ), and (e 3 , d 3 ) of RSA variant N = p r q for r ≥ 2 with three decryption exponents sharing common modulus N, and prove that the security of prime power moduli N can be broken and prime factors p and q can be factored in polynomial-time.…”

Asymptotic Bound for RSA Variant with Three Decryption Exponents

“…. Also, we assume σ 1 = σ 2 = σ 3 = σ in order to compare our results with the theoretical results of [1], [2], [3], [4] and [5], our work show that for 5 ≤ r ≤ 10 we obtain better bounds. The rest of the paper is organised as follows.…”

“…In order to make comparison with other bounds, we assume σ 1 = σ 2 = σ 3 = σ as shown in Table 3 From Table 3.2, one can observe that, our bound is better than [2], [4] and [5] for r ≥ 2 and also better than all the compared bounds for 5 ≤ r ≤ 10.…”

“…Lu et al [3] proved that prime power modulus N = p r q when r ≥ 2 can be factored efficiently when the decryption exponent bound d < N r(r−1) (r+1) 2 . Moreover, Zheng and Hu [2] proposed a cryptanalysis lattice-based construction attack on prime power RSA modulus N = p r q for r ≥ 2 with two decryption exponents where they have shown that N is insecure when δ 1 δ 2 < N ( r−1 r+1 ) 3 where d 1 < N δ 1 and d 2 < N δ 2 . By assuming δ 1 = δ 2 = δ , [2] made comparisons with previous results of [1,4] when r ≥ 4.…”

“…Moreover, Zheng and Hu [2] proposed a cryptanalysis lattice-based construction attack on prime power RSA modulus N = p r q for r ≥ 2 with two decryption exponents where they have shown that N is insecure when δ 1 δ 2 < N ( r−1 r+1 ) 3 where d 1 < N δ 1 and d 2 < N δ 2 . By assuming δ 1 = δ 2 = δ , [2] made comparisons with previous results of [1,4] when r ≥ 4. In this paper, we employ a similar approach to [2] using lattice-based approach except that we utilize three pairs of public and private exponents (e 1 , d 1 ), (e 2 , d 2 ), and (e 3 , d 3 ) of RSA variant N = p r q for r ≥ 2 with three decryption exponents sharing common modulus N, and prove that the security of prime power moduli N can be broken and prime factors p and q can be factored in polynomial-time.…”

Asymptotic Bound for RSA Variant with Three Decryption Exponents

“…These applications as well as its own nice property have made it a hot topic ever since its first introduction. Moreover, there are many analyses and attacks on this scheme, see [17][18][19][20][21][22][23][24].…”

Certifying multi‐power RSA

Attack on the Common Prime Version of Murru and Saettone’s RSA Cryptosystem